Mar 15, 2010

Questionable Questions (And Some Answers)

Normally, NSS Labs does not engage in public disputes over our test results. However, AVG’s recent blog post about our recent Operation Aurora test grossly misrepresents the facts in an apparent attempt to discredit the results and testers. We have chosen to respond:

The important fact for AVG’s 110 million users is: AVG Internet Security 9 did not stop the Aurora exploit. This was true when we tested on January 29, 2010. And it was still true when we re-tested with their latest version on March 12, 2010—nearly two months after the initial attack became public. See for yourself in this video (the exploit executes calc.exe as proof).

On AVG’s blog, they claim the following:

“This is a screenshot of AVG blocking the Aurora 0-day attack from the AVG Labs.”

However if you look closely, the screenshot AVG presented shows they were using Firefox, not Internet Explorer. CVE-2010-0249 was a vulnerability in Internet Explorer, not Firefox. Showing Firefox being "protected" displays a fundamental misunderstanding of the nature of the Aurora attack.

"In fact, the exploit is blocked separately by three different security rules of AVG’s product"

We don’t dispute that AVG has rules, but they did not prevent the exploit. This is why proper testing & QA is important. Further, as you can see in the video (using Internet Explorer), we found that AVG’s warning appears after the exploit successfully gained control of the computer and performed remote code execution (calc.exe).

AVG has failed to provide any credible evidence that our test results are incorrect.

From the moment that AVG contacted us with concerns, we sought to share the information required for them to reproduce the attack themselves. The Operation Aurora code was included within the report itself. We have since posted a video on YouTube, and we made it clear that the easiest way to reproduce the test was to use the Metasploit Framework's built-in (free) Aurora exploit and embed a payload of their choice (such as calc.exe). With this free, publicly available information, AVG engineers should have been able to reproduce this attack, as their peers at other vendors have.

However, AVG wanted us to do more…

During our years of testing, we have found that some vendors have abused the time and trust of testers by not doing their homework before making claims that test results are incorrect. We stand by our results. And in cases where vendors insist we have made a mistake, we will work with them to resolve any ambiguities. If it turns out that the vendor is incorrect, we expect to be compensated for our (consulting) time. If we made a mistake, we will publicly correct the error and the vendor bears no cost.

Under these conditions, AVG had nothing to lose if they were confident in their product. That they have chosen a different path speaks volumes.